Evolution of a threat: Expect ransomware targets, methods to broaden

Criminals expand turf with malware that can do more than encrypt data


As many security experts predicted, 2016 became the “year of extortion.” Ransomware rose to the top of the most prolific and most lucrative malware threats.

But as much as the bad actors had a banner year, they may be just warming up.

“Ransomware is the new scourge of the internet. It’s really an epidemic and … the No. 1 worry for IT pros,” says Stu Sjouwerman, CEO of KnowBe4, a provider of cybersecurity awareness training.


Some security vendors—including Trend Micro and McAfee—expect to see ransomware peak later this year and its growth to plateau.

But that doesn’t mean organizations will be able to breathe easy. The threat will continue to grow as the bad actors diversify both their targets and methods.

Factors that will play into the growing ransomware trend include the average users’ overestimation of their ability to identify phishing as a social engineering attack, says Joe Opacki, the vice president of threat research at PhishLabs, which provides fraud and phishing protection.

Added to that weak human link is the low barrier to entry for this type of crime.

Joe Opacki, PhishLabs vice president of threat research

“As long as it continues to be an easy crime and people overestimate their ability to identify the threat vector, it (ransomware) will continue to be very profitable,” says Opacki, whose career has included advanced digital forensics at the FBI.

What to expect

PhishLabs’ recently released report on 2017 phishing trends and intelligence noted that last year saw an evolution in tactics. Rather than targeting individuals, attackers shifted their focus to organizations, especially to those that are more likely to pay ransom. This shift will continue to play out as attackers expand to new turf.

Some 2017 trends noted in the PhishLabs report:

• A continuing move to other platforms, such as Mac OS X, Linux and mobile

• The exploitation of Internet of Things vulnerabilities by ransomware actors

• Expanded ransomware functionality, such as exfiltrating data, enrolling computers into botnets, and harvesting login credentials

Hackers stretch their wings

The notion behind the expansion of platforms stems partly from the overall higher interest in writing malware, says Joshua Shilko, PhishLabs’ security threat analyst and ransomware expert.

“Last year we saw … multiplatform malware, including multiplatform ransomware being written,” he says. “So you can write one payload and build it so it can run on Windows, Unix, OS X and Linux.”

Mobile devices also are a growing area of interest for attackers. The newest ransomware, targeting Android phones, was discovered in the Google Play Store in January.

“Bad guys haven’t yet spent too much time on [mobile phones], but it’s only a matter of time,” Sjouwerman says.

More contextual attacks

Markus Jakobsson, chief scientist at email-security vendor Agari, expects ransomware purveyors to become better at using the right context for spear phishing attacks. These are emails that may be from strangers, but the contextual information makes them look legit.

One example was the spear phishing campaign by Russian hackers sent to think tanks and nongovernment organizations immediately after the U.S. election. The emails focused on topics such as national security, and some appeared to be forwards from the Clinton Foundation discussing the election results. At least one version used a compromised Harvard account.

“The context was right because people who received the email were primed to want to read about this topic—it was perfect social engineering,” says Jakobsson, who recently released the book “Understanding Social Engineering Based Scams.”

He says that Agari began seeing trickle-down attacks from that campaign about three weeks later, slightly retooled to target enterprises and individuals with high net worth.

“At that point it was weaponized to be ransomware,” he says.

Leveraging stolen email credentials

Another tactic of growing concern is the reuse of login credentials stolen in a data breach. That would include the two massive Yahoo breaches disclosed last year that impacted a total of 1.5 billion accounts.

This is especially a problem, Opacki says, because many online services and software-as-a-service providers use email addresses instead of unique user names for logins. Because people often reuse passwords, cyber criminals can create “password reuse packs” to attack other websites and services.

“We believe there’s going to be a shift in focus for cybercriminals … to use a password reuse attack in multiple places,” he says.

Jakobsson says in the case of Yahoo, bad actors also could use compromised email accounts to bootstrap future attacks by harvesting contextual information. For example, automated scanners could identify accounts that could be used as launchpads for new attacks, as well as to identify accounts connected to potential targets such as individuals with high net worth.

“It’s not prominent at this point, but we’re seeing it as a very powerful and successful attack that we think will come up in the future,” he says.

Sjouwerman thinks ransomware is still in its early stages. He points to how quickly software proliferated after a slow start more than 20 years ago.

“You will see the same exponential growth over time in ransomware,” he says, “simply because ransomware has a fast return on investment.”
